3602.1P02-000 



CLAIMS 

What is claimed is: 

1. An agent process for controlling access to digital assets in a data processing 
environment comprising: 

sensing atomic level asset access events, the sensing step located within 
an operating system kernel within a user client device; 

aggregating multiple atomic level events to determine a combined event; and 

asserting an encryption policy if at least one combined event has 
occurred that matches a predefined digital asset usage risk policy. 

2. A process as in Claim 1 wherein the step of asserting the encryption policy is 
implemented in an operating system kernel of the client user device. 

3. A process as in Claim 1 additionally comprising: 

encrypting an associated digital asset. 

4. A process as in Claim 1 wherein the combined event is a time sequence of 
multiple atomic level events. 

5. A process as in Claim 2 that operates independently of application software. 

6. A process as in Claim 1 wherein the sensing, aggregating, and asserting steps 
operate in real time. 

7. A process as in Claim 1 additionally comprising: 

determining a sensitivity of a particular digital asset in the asset access 
event; and 
adaptive encryption to the digital asset, optionally depending upon 
sensitivity of the particular digital asset. 

8. A process as in Claim 1 wherein the combined event specifies an action to be 
taken with the digital asset. 

9. A process as in Claim 2 additionally comprising: 

at the client user device, applying encryption of the encryption policy 
specified the digital asset to be encrypted. 

10. A process as in Claim 9 additionally comprising: 

forwarding the digital asset to a second client user device; and 
asserting an encryption policy at the second client user device. 

11. A process as in Claim 10 additionally comprising: 

applying decryption at the second client user device. 

12. A process as in Claim 9 additionally comprising: 

forwarding the digital asset to a second client user device; and 
not asserting an encryption policy at the second client user device, so 
that if the encryption policy specifies encryption, the digital asset cannot be read 
at the second client user device. 
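
The following sketch is an added illustration, not part of the patent text: it models the sense, aggregate and assert steps of Claims 1, 4, 7 and 8 in user space over a constructed event stream, whereas the claims place sensing in the operating system kernel. The event fields, the `copy_to_removable` combined event, the sensitivity labels, the 5-second window and the policy table are all assumptions.

```python
from dataclasses import dataclass

# Event fields, labels, window and policy entries are assumptions for this sketch.
@dataclass(frozen=True)
class AtomicEvent:
    ts: float    # seconds
    pid: int
    op: str      # "open", "read" or "write"
    path: str
    device: str  # "fixed" or "removable"

SENSITIVITY = {"/docs/design.cad": "high", "/docs/menu.txt": "low"}   # Claim 7
RISK_POLICY = {("copy_to_removable", "high"): "encrypt",              # Claims 1, 8
               ("copy_to_removable", "low"): "allow"}
WINDOW = 5.0  # max seconds between the read and the write of one copy

def aggregate(events):
    """Combine a read from fixed storage followed, in the same process and
    within WINDOW seconds, by a write to removable media (Claim 4)."""
    combined, last_read = [], {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.op == "read" and ev.device == "fixed":
            last_read[ev.pid] = ev
        elif ev.op == "write" and ev.device == "removable":
            src = last_read.get(ev.pid)
            if src and ev.ts - src.ts <= WINDOW:
                combined.append(("copy_to_removable", src.path, ev.path))
                del last_read[ev.pid]
    return combined

def assert_policy(combined):
    """Return (destination, action) for each combined event the policy matches."""
    decisions = []
    for name, src, dst in combined:
        level = SENSITIVITY.get(src, "high")  # unknown assets treated as sensitive
        action = RISK_POLICY.get((name, level))
        if action:
            decisions.append((dst, action))
    return decisions

# Constructed sample: pid 12's write comes too late to form a combined event.
SAMPLE = [
    AtomicEvent(0.2, 10, "read", "/docs/design.cad", "fixed"),
    AtomicEvent(0.9, 10, "write", "/mnt/usb/design.cad", "removable"),
    AtomicEvent(1.0, 11, "read", "/docs/menu.txt", "fixed"),
    AtomicEvent(1.5, 11, "write", "/mnt/usb/menu.txt", "removable"),
    AtomicEvent(2.0, 12, "read", "/docs/design.cad", "fixed"),
    AtomicEvent(30.0, 12, "write", "/mnt/usb/x.cad", "removable"),
]
```
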



